Husband and Wife Arrested in Ukraine for Ransomware Attacks on Foreign Companies

In recent times, Eastern Europe has emerged as somewhat of a safe haven and Wild West for various cybercriminal gangs, away from U.S. authorities’ prying eyes and reach. For example, the FBI recently uncovered evidence that the infamous HelloKitty gang operates out of Ukraine.

However, the FBI and Ukrainian authorities have stepped up their cooperation throughout 2021, culminating in the arrest of 6 CLOP ransomware gang members.


Developing an effective response capability to ransomware requires taking specific steps for prevention, preparation, detection, verification, containment, eradication, and recovery. With LIFARS Ransomware Response Package, you will have the tools, processes, and team at your disposal to stand ready for even the most devious ransomware attack.


Now, in a special operation orchestrated by the FBI and Ukrainian police, a husband and wife were among five alleged cybercriminal gang members arrested for carrying out attacks against as many as 50 companies across the U.S. and Europe, causing an estimated $1 million in financial losses.

As part of the sting operation, properties associated with the attackers were raided at least nine times. Police confiscated mobile phones, computers, flash drives, bank cards, three cars, and other items of interest to the investigation.

Ukrainian authorities may now be more incentivized to act against cyber criminals after the country has seen a wave of cyberattacks launched against it. Many are suspected of being orchestrated or sponsored by the Russian government in an effort to destabilize the country in light of the geopolitical conflict between the two.

The Cyber Police unit of the National Police of Ukraine claims that the arrested individuals were suspected of running a “hacking service.” Specifically, they would act as a middleman, facilitating the sending of phishing emails that would contain attachments infected with ransomware. Unfortunately, at this time, the police have not mentioned which strain of ransomware or gang these criminals were in bed with.

They also offered IP-address spoofing services to cyber gangs all across the globe. This allowed attackers to hack systems owned by governments and businesses and launch crippling DDoS attacks.

However, these types of cooperative ventures have become more common as threat actors look for more lucrative opportunities or scale their operations. This kind of partnership or the use of “affiliates” allow ransomware gangs to focus on developing their malware and staying ahead of countermeasures while others can focus on finding and targeting business or individuals to attack.

This is just one example of the rapid evolution of TTPs (techniques, tactics, and procedures) and modes of operation employed by cyber threat actors today. And, it’s what keeps contributing to a more varied threat landscape with more sophisticated cybercrime networks.

At the same time, these actors are becoming more proficient at laundering funds they have successfully stolen to evade law enforcement and make it near-impossible for victims to retrieve their losses.

“To launder criminal proceeds, the offenders conducted complex financial transactions using several online services, including those banned in Ukraine,” the Security Service of Ukraine (SSU) said. “At the last stage of converting assets into cash, they transferred funds to payment cards of an extensive network of fictitious persons”.

The National Police of Ukraine has been involved in a number of similar busts in recent years. While it’s too soon to tell, the hope is that the reputation of Ukraine and other countries from the East European bloc as a safe haven for hackers is finally coming to an end.



Cyberpolice exposes hacker group to attack foreign companies with encryption virus